Rootkit, Trojan disappear??



Here's my MBAM log:

Malwarebytes' Anti-Malware 1.36

Database version: 1959

Windows 5.1.2600 Service Pack 3

4/9/2009 12:02:05 PM

mbam-log-2009-04-09 (12-02-05).txt

Scan type: Full Scan (C:\|F:\|)

Objects scanned: 136022

Time elapsed: 24 minute(s), 43 second(s)

Memory Processes Infected: 0

Memory Modules Infected: 0

Registry Keys Infected: 0

Registry Values Infected: 0

Registry Data Items Infected: 0

Folders Infected: 0

Files Infected: 0

Memory Processes Infected:

(No malicious items detected)

Memory Modules Infected:

(No malicious items detected)

Registry Keys Infected:

(No malicious items detected)

Registry Values Infected:

(No malicious items detected)

Registry Data Items Infected:

(No malicious items detected)

Folders Infected:

(No malicious items detected)

Files Infected:

(No malicious items detected)


  • Root Admin

eeek... I saw the Panda in your log and assumed you were running that. Now it looks like it was maybe only an online scanner.

You do not appear to have any Anti-Virus installed. That is a NO NO

Please install an Anti-Virus product ASAP and update it and do a Full System scan.

If you don't have one and are not sure then I would suggest the Avira AntiVir Personal - FREE Antivirus

Please scan your system with Anti-Virus and let me know what it finds. Thanks.


I thought that buying the protection module for MBAM was taking care of my anti-virus protection. Geez. I wish I had understood that better. I used to use Trend Micro but got rid of it when I got MBAM.

OK, I downloaded and ran Avira. Here is what it said:

Avira AntiVir Personal

Report file date: Thursday, April 09, 2009 16:45

Scanning for 1284893 virus strains and unwanted programs.

Licensee : Avira AntiVir Personal - FREE Antivirus

Serial number : 0000149996-ADJIE-0000001

Platform : Windows XP

Windows version : (Service Pack 3) [5.1.2600]

Boot mode : Normally booted

Username : SYSTEM

Computer name : KAREN-FC4119C57

Version information:

BUILD.DAT : 9.0.0.386 17962 Bytes 3/11/2009 15:55:00

AVSCAN.EXE : 9.0.3.3 464641 Bytes 2/24/2009 19:13:26

AVSCAN.DLL : 9.0.3.0 40705 Bytes 2/27/2009 17:58:24

LUKE.DLL : 9.0.3.2 209665 Bytes 2/20/2009 18:35:49

LUKERES.DLL : 9.0.2.0 12033 Bytes 2/27/2009 17:58:52

ANTIVIR0.VDF : 7.1.0.0 15603712 Bytes 10/27/2008 19:30:36

ANTIVIR1.VDF : 7.1.2.12 3336192 Bytes 2/11/2009 03:33:26

ANTIVIR2.VDF : 7.1.2.105 513536 Bytes 3/3/2009 14:41:14

ANTIVIR3.VDF : 7.1.2.127 110592 Bytes 3/5/2009 21:58:20

Engineversion : 8.2.0.100

AEVDF.DLL : 8.1.1.0 106868 Bytes 1/28/2009 00:36:42

AESCRIPT.DLL : 8.1.1.56 352634 Bytes 2/27/2009 03:01:56

AESCN.DLL : 8.1.1.7 127347 Bytes 2/12/2009 18:44:25

AERDL.DLL : 8.1.1.3 438645 Bytes 10/30/2008 01:24:41

AEPACK.DLL : 8.1.3.10 397686 Bytes 3/4/2009 20:06:10

AEOFFICE.DLL : 8.1.0.36 196987 Bytes 2/27/2009 03:01:56

AEHEUR.DLL : 8.1.0.100 1618295 Bytes 2/25/2009 22:49:16

AEHELP.DLL : 8.1.2.2 119158 Bytes 2/27/2009 03:01:56

AEGEN.DLL : 8.1.1.24 336244 Bytes 3/4/2009 20:06:10

AEEMU.DLL : 8.1.0.9 393588 Bytes 10/9/2008 21:32:40

AECORE.DLL : 8.1.6.6 176501 Bytes 2/17/2009 21:22:44

AEBB.DLL : 8.1.0.3 53618 Bytes 10/9/2008 21:32:40

AVWINLL.DLL : 9.0.0.3 18177 Bytes 12/12/2008 15:47:59

AVPREF.DLL : 9.0.0.1 43777 Bytes 12/5/2008 17:32:15

AVREP.DLL : 8.0.0.3 155905 Bytes 1/20/2009 21:34:28

AVREG.DLL : 9.0.0.0 36609 Bytes 12/5/2008 17:32:09

AVARKT.DLL : 9.0.0.1 292609 Bytes 2/9/2009 14:52:24

AVEVTLOG.DLL : 9.0.0.7 167169 Bytes 1/30/2009 17:37:08

SQLITE3.DLL : 3.6.1.0 326401 Bytes 1/28/2009 22:03:49

SMTPLIB.DLL : 9.2.0.25 28417 Bytes 2/2/2009 15:21:33

NETNT.DLL : 9.0.0.0 11521 Bytes 12/5/2008 17:32:10

RCIMAGE.DLL : 9.0.0.21 2438401 Bytes 2/9/2009 18:45:45

RCTEXT.DLL : 9.0.35.0 87297 Bytes 3/11/2009 22:55:12

Configuration settings for the scan:

Jobname.............................: Complete system scan

Configuration file..................: c:\program files\avira\antivir desktop\sysscan.avp

Logging.............................: low

Primary action......................: interactive

Secondary action....................: ignore

Scan master boot sector.............: on

Scan boot sector....................: on

Boot sectors........................: C:, F:, H:,

Process scan........................: on

Scan registry.......................: on

Search for rootkits.................: on

Integrity checking of system files..: on

Scan all files......................: All files

Scan archives.......................: on

Recursion depth.....................: 20

Smart extensions....................: on

Macro heuristic.....................: on

File heuristic......................: medium

Start of the scan: Thursday, April 09, 2009 16:45

Initiating scan of system files:

Signed -> 'C:\WINDOWS\system32\svchost.exe'

Signed -> 'C:\WINDOWS\system32\winlogon.exe'

Signed -> 'C:\WINDOWS\explorer.exe'

Signed -> 'C:\WINDOWS\system32\smss.exe'

Signed -> 'C:\WINDOWS\system32\wininet.DLL'

Signed -> 'C:\WINDOWS\system32\wsock32.DLL'

Signed -> 'C:\WINDOWS\system32\ws2_32.DLL'

Signed -> 'C:\WINDOWS\system32\services.exe'

Signed -> 'C:\WINDOWS\system32\lsass.exe'

Signed -> 'C:\WINDOWS\system32\csrss.exe'

Signed -> 'C:\WINDOWS\system32\drivers\kbdclass.sys'

Signed -> 'C:\WINDOWS\system32\spoolsv.exe'

Signed -> 'C:\WINDOWS\system32\alg.exe'

Signed -> 'C:\WINDOWS\system32\wuauclt.exe'

Signed -> 'C:\WINDOWS\system32\advapi32.DLL'

Signed -> 'C:\WINDOWS\system32\user32.DLL'

Signed -> 'C:\WINDOWS\system32\gdi32.DLL'

Signed -> 'C:\WINDOWS\system32\kernel32.DLL'

Signed -> 'C:\WINDOWS\system32\ntdll.DLL'

Signed -> 'C:\WINDOWS\system32\ntoskrnl.exe'

Signed -> 'C:\WINDOWS\system32\ctfmon.exe'

The system files were scanned ('21' files)

Starting search for hidden objects.

'44009' objects were checked, '0' hidden objects were found.

The scan of running processes will be started

Scan process 'wmiprvse.exe' - '1' Module(s) have been scanned

Scan process 'avscan.exe' - '1' Module(s) have been scanned

Scan process 'avcenter.exe' - '1' Module(s) have been scanned

Scan process 'avgnt.exe' - '1' Module(s) have been scanned

Scan process 'sched.exe' - '1' Module(s) have been scanned

Scan process 'avguard.exe' - '1' Module(s) have been scanned

Scan process 'msiexec.exe' - '1' Module(s) have been scanned

Scan process 'firefox.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'TeaTimer.exe' - '1' Module(s) have been scanned

Scan process 'ehmsas.exe' - '1' Module(s) have been scanned

Scan process 'alg.exe' - '1' Module(s) have been scanned

Scan process 'dllhost.exe' - '1' Module(s) have been scanned

Scan process 'iPodService.exe' - '1' Module(s) have been scanned

Scan process 'nSvcIp.exe' - '1' Module(s) have been scanned

Scan process 'nSvcAppFlt.exe' - '1' Module(s) have been scanned

Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned

Scan process 'mbamservice.exe' - '1' Module(s) have been scanned

Scan process 'jqs.exe' - '1' Module(s) have been scanned

Scan process 'ehSched.exe' - '1' Module(s) have been scanned

Scan process 'ehRecvr.exe' - '1' Module(s) have been scanned

Scan process 'mDNSResponder.exe' - '1' Module(s) have been scanned

Scan process 'AppleMobileDeviceService.exe' - '1' Module(s) have been scanned

Scan process 'MEMonitor.exe' - '1' Module(s) have been scanned

Scan process 'DevDtct2.exe' - '1' Module(s) have been scanned

Scan process 'kmw_show.exe' - '1' Module(s) have been scanned

Scan process 'dpupdchk.exe' - '1' Module(s) have been scanned

Scan process 'msmsgs.exe' - '1' Module(s) have been scanned

Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned

Scan process 'ctfmon.exe' - '1' Module(s) have been scanned

Scan process 'mbamgui.exe' - '1' Module(s) have been scanned

Scan process 'jusched.exe' - '1' Module(s) have been scanned

Scan process 'CTSysVol.exe' - '1' Module(s) have been scanned

Scan process 'ehtray.exe' - '1' Module(s) have been scanned

Scan process 'itype.exe' - '1' Module(s) have been scanned

Scan process 'kmw_run.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'iTunesHelper.exe' - '1' Module(s) have been scanned

Scan process 'LCDClock.exe' - '1' Module(s) have been scanned

Scan process 'LCDMedia.exe' - '1' Module(s) have been scanned

Scan process 'rundll32.exe' - '1' Module(s) have been scanned

Scan process 'LCDMon.exe' - '1' Module(s) have been scanned

Scan process 'explorer.exe' - '1' Module(s) have been scanned

Scan process 'spoolsv.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'svchost.exe' - '1' Module(s) have been scanned

Scan process 'lsass.exe' - '1' Module(s) have been scanned

Scan process 'services.exe' - '1' Module(s) have been scanned

Scan process 'winlogon.exe' - '1' Module(s) have been scanned

Scan process 'csrss.exe' - '1' Module(s) have been scanned

Scan process 'smss.exe' - '1' Module(s) have been scanned

54 processes with 54 modules were scanned

Starting master boot sector scan:

Start scanning boot sectors:

Starting to scan executable files (registry).

The registry was scanned ( '54' files ).

Starting the file scan:

Begin scan in 'C:\'

C:\pagefile.sys

[WARNING] The file could not be opened!

[NOTE] This file is a Windows system file.

[NOTE] This file cannot be opened for scanning.

C:\System Volume Information\_restore{34A19403-3599-4E98-B6CD-42BBBDDF86A0}\RP85\A0042360.exe

[DETECTION] Is the TR/Trash.Gen Trojan

C:\System Volume Information\_restore{34A19403-3599-4E98-B6CD-42BBBDDF86A0}\RP85\A0042493.exe

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

Begin scan in 'F:\' <New Volume>

Begin scan in 'H:\'

H:\Trend Micro\Internet Security 2005\Quarantine\11.tmp

[0] Archive type: HIDDEN

--> FIL\\\?\H:\Trend Micro\Internet Security 2005\Quarantine\11.tmp

[DETECTION] Is the TR/Dldr.Small.aaq.2 Trojan

H:\Trend Micro\Internet Security 2005\Quarantine\6.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

H:\Trend Micro\Internet Security 2005\Quarantine\8.tmp

[0] Archive type: HIDDEN

--> FIL\\\?\H:\Trend Micro\Internet Security 2005\Quarantine\8.tmp

[DETECTION] Is the TR/Dldr.Small.aaq.2 Trojan

H:\Trend Micro\Internet Security 2005\Quarantine\A.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

H:\Trend Micro\Internet Security 2005\Quarantine\F.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\11.tmp

[0] Archive type: HIDDEN

--> FIL\\\?\H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\11.tmp

[DETECTION] Is the TR/Dldr.Small.aaq.2 Trojan

H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\6.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\8.tmp

[0] Archive type: HIDDEN

--> FIL\\\?\H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\8.tmp

[DETECTION] Is the TR/Dldr.Small.aaq.2 Trojan

H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\A.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\F.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

Beginning disinfection:

C:\System Volume Information\_restore{34A19403-3599-4E98-B6CD-42BBBDDF86A0}\RP85\A0042360.exe

[DETECTION] Is the TR/Trash.Gen Trojan

[NOTE] The file was moved to '4a0e8d9c.qua'!

C:\System Volume Information\_restore{34A19403-3599-4E98-B6CD-42BBBDDF86A0}\RP85\A0042493.exe

[DETECTION] Is the TR/Drop.Softomat.AN Trojan

[NOTE] The file was moved to '4b7bf895.qua'!

H:\Trend Micro\Internet Security 2005\Quarantine\11.tmp

[NOTE] The file was moved to '4a0c8d9d.qua'!

H:\Trend Micro\Internet Security 2005\Quarantine\6.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

[NOTE] The file was moved to '4a528d9a.qua'!

H:\Trend Micro\Internet Security 2005\Quarantine\8.tmp

[NOTE] The file was moved to '4b26e0db.qua'!

H:\Trend Micro\Internet Security 2005\Quarantine\A.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

[NOTE] The file was moved to '4b24f14b.qua'!

H:\Trend Micro\Internet Security 2005\Quarantine\F.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

[NOTE] The file was moved to '4b292e23.qua'!

H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\11.tmp

[NOTE] The file was moved to '4b76166e.qua'!

H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\6.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

[NOTE] The file was moved to '4c240053.qua'!

H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\8.tmp

[NOTE] The file was moved to '4c2a10c3.qua'!

H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\A.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

[NOTE] The file was moved to '4c2b28bb.qua'!

H:\Program Files\Trend Micro\Internet Security 2005\Quarantine\F.tmp

[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program

[NOTE] The file was moved to '4c29392b.qua'!

End of the scan: Thursday, April 09, 2009 17:06

Used time: 19:48 Minute(s)

The scan has been done completely.

9261 Scanned directories

272710 Files were scanned

12 Viruses and/or unwanted programs were found

0 Files were classified as suspicious

0 files were deleted


  • Root Admin

Well you can use Trend if you like it. Just didn't see any. MBAM is an Anti-Malware product which is not the same as Anti-Virus and BOTH types of products are needed. Often Anti-Virus suites include Anti-Malware these days, but often are not as up to date and rapid as MBAM is.

You can go into the Trend quarantine folder and delete all of those files now.

The system looks clean and good to go now.

How is the computer running now?

Are there still any signs of infection?

Do you have any other concerns before I finish up with closing information and actually close your post?

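As an added example (not code from this thread, from Malwarebytes or from Avira), here is a small Python parser for the Avira report format quoted above. It pulls each detected path, the threat name and the .qua name the file was moved to, and labels where the hit lives, because a detection inside an old System Restore point or another product's Quarantine folder is a dormant copy rather than a running infection, which is the distinction the replies draw. The sample report is a constructed excerpt of the log in this thread, and the `Finding` fields and location labels are my own naming.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample (not a real run) built from lines of the Avira report quoted in this
# thread: a hit in an old System Restore point and two in a Trend Micro quarantine folder.
SAMPLE_REPORT = r"""
Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\System Volume Information\_restore{34A19403-3599-4E98-B6CD-42BBBDDF86A0}\RP85\A0042360.exe
[DETECTION] Is the TR/Trash.Gen Trojan
H:\Trend Micro\Internet Security 2005\Quarantine\11.tmp
[0] Archive type: HIDDEN
--> FIL\\\?\H:\Trend Micro\Internet Security 2005\Quarantine\11.tmp
[DETECTION] Is the TR/Dldr.Small.aaq.2 Trojan
H:\Trend Micro\Internet Security 2005\Quarantine\6.tmp
[DETECTION] Contains a recognition pattern of the (harmful) BDS/Agent.EC back-door program
Beginning disinfection:
C:\System Volume Information\_restore{34A19403-3599-4E98-B6CD-42BBBDDF86A0}\RP85\A0042360.exe
[DETECTION] Is the TR/Trash.Gen Trojan
[NOTE] The file was moved to '4a0e8d9c.qua'!
H:\Trend Micro\Internet Security 2005\Quarantine\11.tmp
[NOTE] The file was moved to '4a0c8d9d.qua'!
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")  # new file record; '--> FIL...' member lines are ignored
DETECTION_RE = re.compile(r"^\[DETECTION\] (?:Is the|Contains a recognition pattern of the \(harmful\)) (\S+)")
MOVED_RE = re.compile(r"^\[NOTE\] The file was moved to '([^']+)'!")

@dataclass
class Finding:
    path: str
    threat: str
    location: str                         # see classify_location()
    quarantined_as: Optional[str] = None  # .qua name once Avira moved the file

def classify_location(path: str) -> str:
    """Separate dormant copies from files that could actually be executed."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system-restore"          # old restore point: purge with Disk Cleanup
    if "\\quarantine\\" in p:
        return "third-party-quarantine"  # already neutralised by another scanner
    return "active"

def parse_avira_report(text: str) -> List[Finding]:
    """One Finding per detected path, merged across the scan and disinfection phases."""
    findings: Dict[str, Finding] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if PATH_RE.match(line):
            current = line
        elif current and (m := DETECTION_RE.match(line)) and current not in findings:
            findings[current] = Finding(current, m.group(1), classify_location(current))
        elif current in findings and (m := MOVED_RE.match(line)):
            findings[current].quarantined_as = m.group(1)
    return list(findings.values())

def unresolved(findings: List[Finding]) -> List[str]:
    """Detected paths Avira never moved to quarantine; these need a manual look."""
    return [f.path for f in findings if f.quarantined_as is None]
```

In the constructed sample the 6.tmp hit has no "moved to" note, so `unresolved()` reports it; on the full log in this thread every detection was moved.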

Thanks for explaining the difference. As you can tell, I don't know much about this stuff.

The computer is running fine. I haven't noticed any issues. I'm still puzzled about how those two viruses 'disappeared' - they were there so long (2 months!) and MBAM could never remove them. Then one day I run it, and they are gone - not even detected, just gone. But if the system looks clean now, after all this, then I guess I'll believe it.

Thanks for all your help. You really were persistent and clear in your communication.


  • Root Admin

MBAM gets updated numerous times throughout the day with new instructions on how to detect and remove new threats. So basically in effect it gets smarter each day. Then when you updated MBAM it now knew how to detect AND remove it, so it did.

We reviewed and removed some other undesirable items using other tools so now your system appears to be clean.

The GUARD of Avira should always be enabled. It monitors suspicious files continuously when it's on so that it can protect you. If you have it off you could potentially get infected by something that it knew to stop, but you had it off so it didn't stop it.

Great, all looks good now.

I'll close your post soon so that others don't post into it and leave you with this information and suggestions.

So how did I get infected in the first place?

At this time your system appears to be clean. Nothing else in the logs indicates that you are still infected.

Now that you appear to be clean, please follow these simple steps in order to keep your computer clean and secure:

Remove all but the most recent Restore Point on Windows XP

You should Create a New Restore Point to prevent possible reinfection from an old one.

Some of the malware you picked up could have been saved in System Restore.

Since this is a protected directory that your tools cannot access to delete these files, they can sometimes reinfect your system if you accidentally use an old restore point.

Setting a new restore point AFTER cleaning your system will help prevent this and enable your computer to "roll-back" to a clean working state.

The easiest and safest way to do this is:
  • Go to Start > Programs > Accessories > System Tools and click "System Restore".
  • If the shortcut is missing you can also click on START > RUN and type in %SystemRoot%\system32\restore\rstrui.exe and click OK.
  • Choose the radio button marked "Create a Restore Point" on the first screen then click "Next".
  • Give the new Restore Point a name, then click "Create".
  • The new point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
  • Then use the Disk Cleanup to remove all but the most recently created Restore Point.
  • Go to Start > Run and type: Cleanmgr.exe
  • Select the drive where Windows is installed and click "Ok". Disk Cleanup will scan your files for several minutes, then open.
  • Click the "More Options" tab, then click the "Clean up" button under System Restore.
  • Click Ok. You will be prompted with "Are you sure you want to delete all but the most recent restore point?"
  • Click Yes, then click Ok.
  • Click Yes again when prompted with "Are you sure you want to perform these actions?"
  • Disk Cleanup will remove the files and close automatically.
  • On the Disk Cleanup tab, if the System Restore: Obsolete Data Stores entry is available remove them also.
  • These are files that were created before Windows was reformatted or reinstalled. They are obsolete and you can delete them.

[Screenshots: selecting the drive in Disk Cleanup]

Additional information

Microsoft KB article: How to turn off and turn on System Restore in Windows XP

Bert Kinney's site: All about Windows System Restore

Here are some free programs I recommend that could help you improve your computer's security.

Install SpyWare Blaster

Download it from here

Find the tutorial on how to use Spyware Blaster here

Install WinPatrol

Download it from here

You can find information about how WinPatrol works here

Install FireTrust SiteHound

You can find information and download it from here

Install hpHosts

Download it from here

hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites. This prevents your computer from connecting to these untrusted sites by redirecting them to 127.0.0.1 which is your own local computer.

hpHosts Support Forum

Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

You can use one of these sites to check if any updates are needed for your pc.

Secunia Software Inspector

F-secure Health Check

Visit Microsoft often to get the latest updates for your computer.

http://www.update.microsoft.com

Note 1: If you are running Windows XP SP2, you should upgrade to SP3.

Note 2: Users of Norton Internet Security 2008 should uninstall the software before they install Service Pack 3.

The security suite can then be reinstalled afterwards.

The windows firewall is not sufficient to protect your system. It doesn't monitor outgoing traffic and this is a must.

I recommend Online Armor Free

A little outdated but good reading on how to prevent Malware

Keep safe online and happy surfing.

Since this issue is resolved I will close the thread to prevent others from posting into it. If you need assistance please start your own topic and someone will be happy to assist you.

The fixes and advice in this thread are for this machine only. Do not apply to your machine unless you Fully Understand how these programs work and what you're doing. Please start a thread of your own and someone will be happy to help you, just follow the Pre-Hijackthis instructions found here before posting Pre- HJT Post Instructions

Also don't forget that we offer FREE assistance with General PC questions and repair here PC Help

If you're pleased with the product Malwarebytes and the service provided you, please let your friends, family, and co-workers know. http://www.malwarebytes.org

